Home > Articles > Security > Network Security

  • Print
  • + Share This
From the author of

The Future of IDSs

The future of IDSs is unknown. Although we have shown the benefit of such systems, they are limited because they are reactive. This section outlines the issues and possible solutions to dealing with outdated IDSs.

The Changing Landscape

As shown above, the technology to defeat IDSs continues to evolve. In addition, the milieu changes; IDSs must attempt to keep pace. Table 1 lists future trends that pose threats to IDSs and also lists potential solutions.

Table 1: Potential Solutions to Future Difficulties in IDS



Encrypted traffic (IPSec)

Embed IDS throughout host stack

Increasing speed and complexity of attacks

Use strict anomaly detection

Switched networks

Monitor each host individually

Increasing burden of data to interpret

Use statistically based implementation

The following sections examine each of these growing problems, along with a potential solution.

Embedded IDSs

IPSec is becoming a popular standard for securing data over a network. IPSec (short for IP Security) is a set of security standards designed by the Internet Engineering Task Force (IETF) to provide end-to-end protection of private data. Implementing this standard allows an enterprise to transport data across an untrustworthy network such as the Internet, while preventing hackers from corrupting, stealing, or spoofing private communication.

By securing packets at the network layer, IPSec provides application-transparent encryption services for IP network traffic, as well as other access protections for secure networking. For example, IPSec can provide for end-to-end security from client-to-server, server-to-server, and client-to-client configurations.

Unfortunately for IDSs, IPSec becomes a dual-edged sword. On one hand, IPSec allows users to securely log into their corporate network from home using a VPN. On the other hand, IPSec encrypts traffic, thus rendering promiscuous-mode IDSs useless. Therefore, if a hacker compromises a remote user's machine, he will have a secure tunnel through which to hack the corporate network.

To correct for IPSec, future IDSs might need to be embedded throughout each level of a host's TCP/IP stack. This will allow the IDS to watch data as it is unencapsulated and processed through each layer of the stack, and to analyze the decrypted payload at higher levels.

Strict Anomaly Detection

Another growing problem is that as both the speed and complexity of attacks continue to increase, IDSs are becoming less able to keep pace. One answer to this dilemma might be the growing use of strict anomaly detection. This means that every abnormality, no matter how minor, is considered a true positive alarm.

Again, such a method would require that the IDS move onto individual hosts rather than the network as a whole. An individual host should have a more predictable traffic pattern, as opposed to the entire network. Each critical host would have an IDS that detects every anomaly. Then the administrator can make rules (exceptions) for acceptable variations in behavior. In this way, IDSs monitor behavior in much the same way that firewalls monitor traffic.

How would we design an IDS that performs host-based, strict anomaly detection? In this case, we are dealing with individual hosts that are somewhat isolated by firewalls and routers, so we can customize our IDS for each unique host. Because we are dealing with the host only, we know that any packets received are destined for that specific host. We can then set our sensitivity very high to look for any abnormality.

For example, at the packet level, our host-based anomaly detector would scan packets as they are processed up the stack. We could ask the IDS to monitor any of the following:

  • Unexpected signatures
  • TCP/IP violations
  • Packets of unusual size
  • Low TTL

Invalid checksums

Similarly, at the application level, we can ask our anomaly detector to scan for unusual fluctuations in the following system characteristics:

  • CPU utilization
  • Disk activity
  • User logins
  • File activity
  • Number of running services
  • Number of running applications
  • Number of open ports

Log file size

When any abnormality is detected, an alert is sent to the centralized console. This method has a high sensitivity but, unfortunately, generates a great deal of data.

Host- vs. Network-Based IDS

The increasing use of switched networks hinders IDSs that monitor the network using promiscuous-mode passive protocol analysis. It is therefore becoming more difficult to monitor multiple hosts simultaneously. There have been attempts to rectify this using spanning (spy) ports to monitor multiple ports on a switch, but to date such solutions have been ineffective. In addition, the growing use of encrypted traffic foils passive analysis off the wire. Thus, IDSs might be moving more toward host-based monitoring.

  • + Share This
  • 🔖 Save To Your Account